Policy AD-101 Confidentiality of Information 2023-04-25
Policy Number: AD-101 | Policy Owner: Corporate Compliance Officer | Effective Date: 5/1/2023
Attachment(s): Confidentiality Agreement (signed by all employees, contractors, students, interns, and volunteers); Annual Confidentiality, Conflicts of Interest, and Exclusions Statement (signed by Westside Board members, chief officers, and directors)
Original/Reviewed Date(s): 1/18/00, 1/1/02, 3/15/04, 7/11/06, 5/1/09, 1/1/11, 9/26/12, 1/22/13, 6/27/13, 7/23/14, 1/1/15, 4/19/21, 4/25/23
Policy Executive: President & CEO | Policy Executive Signature: | Approval Date: 4/25/23
Board Representative: Chair | Board Representative Signature: | Approval Date: 4/25/23
Purpose
The purpose of this policy is to specify the obligations and duties of individuals associated with Westside Family Healthcare (Westside) regarding protection of confidential information and to provide safeguards to prevent these affiliated individuals from disclosing confidential information about Westside, including circumstances which entail a violation of relevant federal or state law and/or of applicable contractual or fiduciary duties.
This policy also supports Westside’s compliance with certain requirements in Chapter 10: Quality Improvement/Assurance and Chapter 21: FTCA Deeming Requirements of the HRSA Health Center Program Compliance Manual, as well as relevant standards in the Information Management (IM) and Rights and Responsibilities of the Individual (RI) chapters of The Joint Commission (TJC) Comprehensive Accreditation Manual for Ambulatory Care (CAMAC).
Policy
Westside takes reasonable and appropriate measures to maintain confidentiality of information (oral, written, and electronic) related to the organization and its patients, employees, partners, and vendors.
All individuals affiliated with Westside (“affiliated individuals”) must protect confidential information. Employees, contractors, students, interns, volunteers, Board members, and relevant others may gain access to non-public, confidential information about Westside’s operations by virtue of their position within or affiliation with Westside. These individuals may not communicate confidential information about or related to Westside to any unauthorized parties within or outside the organization, unless explicitly authorized to do so by the Westside President & CEO or full Board of Directors (as confirmed by the Board Chair). Affiliated individuals are expected to exercise reasonable care to avoid inadvertent disclosure of confidential information and are bound by and required to comply with this AD-101 policy, any signed confidentiality statements or agreements, and the procedures detailed below. If Westside executes an agreement with another entity that includes provisions governing confidentiality of information, relevant affiliated individuals are bound by and required to comply with those provisions as well.
As a health center and service organization functioning in a particularly private and personal area of its patients’ lives, Westside is committed to keeping all aspects of the patient relationship with the organization confidential to the fullest extent possible. For the purpose of this policy, Westside considers a patient anyone who seeks its help or services, in any form, whether or not he or she is formally registered in its records. Westside maintains the confidentiality of patient records, including all information as to personal facts and circumstances. Every piece of written or electronic material related to a patient is treated as confidential, not to be handled or seen at any time by anyone other than authorized parties. Confidential patient information is not to be discussed in public areas or with unauthorized parties. Westside does not divulge information without a patient's consent, except as may be required by federal or state laws and regulations or as may be necessary to provide necessary service to the individual or meet federal or state audit requirements.
Westside utilizes a certified electronic medical records (EMR) system and other record-keeping procedures for maintaining and monitoring the confidentiality, privacy, and security of protected health information (PHI), including safeguards against loss, destruction, or unauthorized use that are consistent with federal and state requirements. Westside implements reasonable and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. Procedures that meet the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and other applicable privacy laws that aim to protect PHI are found in separate Westside policies and documents, as detailed in the procedures below. Westside ensures that its employees and other relevant affiliated individuals are trained in confidentiality, privacy, and security of patient information.
Westside protects confidential employee information contained in its records and limits access to such information to those who have a business-related need to know. Westside takes all reasonable steps to maintain the confidentiality of employee personal identifying information (PII), including limiting access to PII and ensuring its safe storage and disposal, as required by state law. In accordance with requirements of the Americans with Disabilities Act (ADA) and HIPAA, Westside maintains employees’ medical and disability information confidentially and keeps it separate from their personnel files.
Any internal, non-public documents used by Westside in the normal course of business, such as business plans, financial data, budgets and forecasts, policies, procedures, and forms belong to Westside, and these materials may not be disclosed to anyone outside of the organization unless specific permission is obtained from the President & CEO.
Westside maintains strong information technology and record of care policies and practices to protect the confidentiality of electronic PHI (e-PHI), electronic PII, and all other electronic confidential or proprietary information, as discussed further in the procedures below.
This policy is not intended to prevent employees from discussing their terms and conditions of employment or to otherwise interfere with their rights protected by federal and state labor laws.
Scope
This policy applies to Westside Board Members, employees, contractors, students, interns, volunteers, and any other relevant individuals affiliated with Westside who may gain access to confidential information.
Definitions
Affiliated Individuals – Anyone associated with Westside who may gain access to confidential information about Westside by virtue of their position within or affiliation with Westside, including but not limited to employees, contractors, students, interns, volunteers, and Board members.
Board Chair – The Chair of the Board of Directors of Westside.
Board Member(s) – One or more members of the Board of Directors of Westside.
Confidential Information – Any and all information (whether written, oral, or electronic) relating to the governance, business, operations, and financial condition of Westside Family Healthcare (including information about its patients and employees) and/or any of its collaboration partners or vendors, as well as any and all other information that is determined to be confidential or proprietary.
Unauthorized Parties – Any individuals/persons, organizations, or entities that are not authorized to have access to or knowledge of pertinent confidential or proprietary information for valid Westside governance, business, operations, or financial purposes.
Procedures
Employees and Other Affiliated Individuals
- Employees, contractors, students, interns, and volunteers are required to sign a confidentiality agreement at the beginning of their employment or association with Westside.
- Others affiliated with Westside may also be required to sign a confidentiality agreement.
- Chief officers and directors are required to sign the Annual Confidentiality, Conflicts of Interest, and Exclusions Statement, in which they acknowledge that they have read this AD-101 Confidentiality of Information policy and understand and will comply with the expectations contained herein.
- Employees, contractors, students, interns, volunteers, and relevant others must not:
- share confidential information with unauthorized parties within the organization of Westside or unauthorized parties outside the organization of Westside, unless the President & CEO has provided appropriate authorization;
- discuss confidential information in public places, inside or outside the organization of Westside;
- replicate confidential information and/or store it in an insecure location or on an insecure device; or
- use confidential information for personal gain or for the benefit of a third party.
- Employees, contractors, students, interns, volunteers, and relevant others are expected to:
- take measures to ensure confidential information is not visible to others, either on their desk or on their computer screen(s);
- lock or secure confidential information contained on paper at all times, when not in use;
- lock their computers when they leave their workstations, including at the end of the day;
- clear their desks of any confidential information before leaving at the end of the day;
- dispose of all confidential information printed out on paper in the shredding bin when no longer needed;
- keep confidential documents on Westside premises, unless absolutely necessary to remove them;
- view confidential information only on secure devices.
- Employees, contractors, students, interns, volunteers, and relevant others are expected to be familiar with the following confidentiality-related policies:
- All Westside policies and procedures that protect the privacy of Protected Health Information (PHI), including administrative policy AD-500 HIPAA Breach Notification;
- Westside record of care policy RC-101 Medical Records: Release of Protected Health Information (PHI), in particular the approval procedures for releasing PHI and the exceptions;
- Westside provision of care policy PC-311 Informal Disclosure of Protected Health Information to Patients’ Family, Friends, or Others;
- Westside information technology policies applicable to maintaining the confidentiality of electronic PHI (e-PHI), electronic personal identifying information (PII), and other relevant confidential or proprietary information maintained in electronic media: IT-STF100 Information Technology Sanction Policy, IT-STF101 IT Terms of Use, and IT-SEC101 Access Management; and
- Westside administrative policy AD-710 Document Retention and Destruction, in particular those procedures meeting regulatory requirements to maintain confidentiality of information.
- Employees, contractors, students, interns, and volunteers (particularly those providing clinical and other direct patient services) are expected to be familiar with exceptions to the sharing of confidential information and patient information, which include:
- circumstances in which PHI may be released without written patient authorization, as detailed in RC-101 Medical Records: Release of Protected Health Information (PHI),
- circumstances in which PHI may be informally disclosed to a patient’s family, friends, or others without written patient authorization, as detailed in PC-311 Informal Disclosure of Protected Health Information to Patients’ Family, Friends, or Others; and
- circumstances involving mandatory reporting to a state regulatory body, as detailed in the following Westside policies:
- PC-701 Mandatory Reporting of Child Abuse and Neglect;
- PC-702 Adults in Need of Protective Services; and
- PC-703 Human Trafficking.
- Employees and other affiliated individuals who are unsure whether information should be kept confidential should consult with their supervisor, the Privacy Officer, and/or the Corporate Compliance Officer before disclosing the information or taking any other action using the information.
- Violations
- Violations of this policy must be reported promptly to the President & CEO.
- If the President & CEO has violated the standards, notice must be given to the Board Chair.
- Employees who violate these standards may, depending on the severity of the violation, be subject to counseling, verbal reprimand, written reprimand, reassignment, demotion, suspension, or separation from employment, in addition to legal penalties which may apply.
Board Members
- Board members are required to sign the Annual Confidentiality, Conflicts of Interest, and Exclusions Statement, in which they acknowledge that they have read this AD-101 Confidentiality of Information policy and understand and will comply with the expectations contained herein.
- All information communicated at monthly Board meetings or Board committee meetings or any other closed sessions/meetings of the Westside Board of Directors shall be treated as confidential and proprietary by all Board members.
- Westside’s Board of Directors or its President & CEO may determine that other information is confidential or proprietary on a case-by-case basis.
- Board members have a fiduciary duty to not communicate confidential or proprietary information about Westside obtained during their tenure of service to anyone who is not also a member of the Board, absent the explicit authorization of the full Board of Directors (as confirmed by the Board Chair).
- Exceptions include members of Westside leadership who attended the relevant Board of Directors (Board) meetings and/or Board committee meetings at which the particular confidential information was discussed, or who were otherwise made privy to that information for authorized business purposes.
- Board members must not use confidential information for personal gain or for the benefit of a third party.
- Violations
- Board member violations of this policy must be reported promptly to the Board Chair and the President & CEO.
- Board Members who violate Westside’s confidentiality standards may, depending on the severity of the violation, be subject to oral admonishment or removal from the Board.
Employee Records
- Employee records are maintained confidentially, with access at Westside limited to employees who have a business-related need to know, such as human resources staff, supervisors, and safety personnel.
- In accordance with Title I of the Americans with Disabilities Act (ADA), Westside maintains the confidentiality of specified types of employee medical and disability information, including but not limited to medical information solicited from employees for fitness for duty statements, employee FMLA leave requests, and employee requests for reasonable workplace accommodations.
- In accordance with relevant federal regulatory requirements (ADA and HIPAA), all employee medical records, whether solicited by Westside or provided voluntarily by the employee, are maintained separate from the employee’s general personnel records and in a location accessible only to authorized individuals.
- Employee I-9 forms are maintained confidentially and separate from the employee’s personnel file/records, as recommended by the United States Citizenship and Immigration Services (USCIS).
- I-9 forms are retained securely and destroyed on a schedule based on the appropriate state and federal regulatory requirements.
- Westside stores and handles employee personal identifying information (PII), whether on paper or electronic, in a manner as to maintain confidentiality and in accordance with Delaware code.
- PII includes but is not limited to: social security number, driver’s license or state identification card number, insurance policy number, financial services account number, bank account number, credit card number, debit card number, tax or payroll information, and confidential health care information.
- Only leadership and staff with a business need are permitted access to employee PII.
- When disposing of records containing employee PII, Westside takes all reasonable steps to dispose of the records in a manner that will make them unreadable or indecipherable.
Training
- To ensure awareness and understanding, employees and all other affiliated individuals are trained at the beginning of their employment or association with Westside, and then annually thereafter, on this AD-101 Confidentiality of Information policy and their duties with regard to maintaining confidentiality.
- As part of Westside’s risk management program (and to meet a HRSA FTCA program requirement), all employees are required to take an annual training on HIPAA medical record confidentiality requirements, as detailed in policy AD-460 Health Care Risk Management Training Plan.
- As a part of its information technology risk management strategies (and to meet a HIPAA requirement), Westside requires all employees to take an annual IT security training, as referenced in policy IT-STF101 IT Terms of Use.
References
- HRSA Health Center Program
- Chapter 10: Quality Improvement/Assurance, Element F: Confidentiality of Information. HRSA Health Center Program Compliance Manual, August 2018. (https://bphc.hrsa.gov/compliance/compliance-manual/chapter10)
- Quality Improvement/Assurance, Element F: Confidentiality of Information. HRSA Health Center Program Site Visit Protocol (SVP), April 13, 2023. (https://bphc.hrsa.gov/compliance/site-visits/site-visit-protocol/quality-improvement-assurance)
- Chapter 21: FTCA Deeming Requirements, Risk Management. HRSA Health Center Program Compliance Manual, August 2018. (https://bphc.hrsa.gov/compliance/compliance-manual/chapter21)
- FTCA Deeming Requirements, Risk Management. HRSA Health Center Program Site Visit Protocol (SVP), April 13, 2023. (https://bphc.hrsa.gov/compliance/site-visits/site-visit-protocol/federal-tort-claims-act-ftca-deeming-requirements)
- The Joint Commission (TJC)
- Information Management (IM)
- IM.02.01.01 – The organization protects the privacy of health information.
- IM.02.01.03 – The organization maintains the security and integrity of health information.
- Rights and Responsibilities of the Individual (RI)
- RI.01.01.01 – The organization respects patient rights.
- RI.01.03.05 – The organization protects the patient and respects the patient's rights during research, investigation, and clinical trials.
- Laws and Regulations
- Health Insurance Portability and Accountability Act (HIPAA) of 1996, Privacy and Security Rules, 45 CFR Part 160 and Subparts A and E of Part 164
- Health Information Technology for Economic and Clinical Health (HITECH) Act, Health Information Privacy Section 13101 - 13424 of Title XIII of the American Recovery and Reinvestment Act of 2009
- Americans with Disabilities Act (ADA), 42 U.S.C. § 12112(d)(3)(B); §12112(d)(4)(C).
- The Privacy Act of 1974
- Delaware Code Title 19 § 736. Safe destruction of records containing personal identifying information. (https://delcode.delaware.gov/title19/c007/sc04/index.html)
- National Labor Relations Act (NLRA) (https://www.nlrb.gov/guidance/key-reference-materials/national-labor-relations-act)
- Delaware Code Title 19 § 711. Unlawful employment practices; employer practices. (https://delcode.delaware.gov/title19/c007/sc02/#:~:text=(j)%20It%20shall%20be%20an,the%20wages%20of%20another%20employee.)